Third-party risk management data model

  • Release version: Yokohama
  • Updated March 12, 2026
  • 8 minutes to read

    Use the Third-party Risk Management (TPRM) data model to assess, monitor, and mitigate the risks for your risk management program.

    TPRM data model overview

    The Third-party Risk Management application is one of the Governance, Risk, and Compliance products.

    The following model is used to support TPRM's capabilities.

    Figure 1. TPRM data model
    Relationship between due diligence, third-party management, policy and compliance, and risk main tables. For a text description, refer to the text that follows.

    The third-party risk assessment data model includes various components and relationships:

    Components:
    • Risk intelligence score [sn_vdr_risk_asmt_security_score]
    • Internal assessment [sn_vdr_asmt_internal_assessment]
    • Tiering assessment [sn_vdr_risk_asmt_vdr_tiering_assessment]
    • Event-driven management history [sn_tprm_dd_rule_execution_history]
    • Third-party due diligence request [sn_tprm_dd_request]
    • Company [core_company]
    • Event-driven management rule [sn_tprm_dd_generation_rule]
    • Third-party risk assessment [sn_vdr_risk_asmt_assessment]
    • Third-party engagement [sn_vdr_risk_asmt_vendor_engagement]
    • Vendor contact [vm_vdr_contact]
    • Assessment metric type [asmt_metric_type]
    • Assessment template [sn_vdr_risk_asmt_assessment_template]
    • Third-party risk issue [sn_vdr_risk_asmt_issue]
    • Engagement risk scoring rule [sn_vdr_risk_asmt_engagement_risk_scoring_rule]
    • Engagement level risk rating [sn_vdr_risk_asmt_engagement_level_rating]
    • Risk [sn_risk_risk]
    • Control [sn_compliance_control]
    Relationships:
    • The third-party risk assessment component can have a one-to-many relationship with the following components:
      • Event-driven management histories
      • Third-party due diligence requests
      • Company
      • Third-party engagements
      • Third-party risk issues
      • Assessment templates
    • The Event-driven management histories component can have a many-to-one relationship with the Event-driven management rules component.
    • The Event-driven management rules component can have a one-to-many relationship with the Assessment metric type component and the Assessment template component.
    • The third-party engagement component can have a one-to-many relationship with the following components:
      • Company
      • Engagement risk scoring rule
      • Third-party risk issue
    • The Third-party engagement component can have a many-to-many relationship with the Vendor contact component.
    • The Vendor contact component can have a one-to-many relationship with the Company and Third-party risk issue components.
    • The Engagement level risk rating component can have a one-to-many relationship with the Third-party engagement component.
    • The Third-party engagement component is related to the Risk and Control component.
    • The Risk intelligence score component is related to the Third-party due diligence component.
    • The Tiering assessment component can have a one-to-many relationship with the following components:
      • Third-party due diligence
      • Third-party engagement
      • Company
    • The Tiering assessment component can have a many-to-many relationship with the Assessment metric type component.
    • The Third-party due diligence component can have one-to-many relationships with the following components:
      • Event-driven management history
      • Third-party risk assessment
      • Company
    • The following components are related to Risk due diligence:
      • Event-driven management rule
      • Event-driven management history
      • Third-party risk due diligence request
    • The following components are related to Third-party management:
      • Risk intelligence score
      • Internal assessment
      • Tiering assessment
      • Third-party risk assessment
      • Third-party engagement
      • Assessment template
      • Third-party risk issue
      • Engagement risk scoring rule
      • Engagement level risk rating
    • The internal assessment component is an extension of the tiering assessment component.
    • The Control component is related to Policy and Compliance Management.
    • The Risk component is related to Risk Management.
    • The following components are Global:
      • Vendor contact
      • Company
      • Assessment metric type
    The following table lists the roles that are required for the components in the TPRM data model.

    Table 1. Roles for the TPRM data model
    • sn_vdr_risk_asmt.approver: Approve due diligence requests in the third-party risk management process.
    • sn_vdr_risk_asmt.contract_negotiator: Work in the contract risk process stage of the onboarding process.
    • sn_vdr_risk_asmt.vendor_assessment_reviewer: Edit assessments.
    • sn_vdr_risk_asmt.vendor_assessor: Manage third parties, third-party contacts, third-party risk assessments, and issues, and complete third-party risk assessment requests.
    • sn_vdr_risk_asmt.vendor_risk_admin: Have full control over all vendor risk management data and assessment metric types.
    • sn_vdr_risk_asmt.vendor_risk_manager: Manage third parties, third-party contacts, third-party assessment templates, questionnaire templates, documentation request templates, and scheduled assessments.

    For more information on the roles, see Roles in Third-party Risk Management.

    Core components

    TPRM is based on sending assessments and calculating scores from the received responses.

    You can use these core components to perform assessments:
    • Third-party risk assessment
    • Third-party engagement
    • Third-party due diligence
    • Scoring setup
    • Risk intelligence

    The following diagram shows the main tables and flow for a third-party risk assessment of the TPRM data model.

    Figure 2. Third-party risk assessment data model
    Relationship between the due diligence, third-party management, policy and compliance, and risk main tables for third-party risk assessments. For a text description, refer to the text that follows.

    Here are the components and relationships that make up the Third-party risk assessment data model.

    Components:
    • Internal assessments [sn_vdr_risk_asmt_internal_assessment]
    • Tiering assessments [sn_vdr_risk_asmt_vdr_tiering_assessment]
    • External assessments [sn_vdr_risk_asmt_assessment]
    • Assessment template [sn_vdr_risk_asmt_template]
    • Questionnaire templates [asmt_metric_type]
    • Questionnaire instance [asmt_assessment_instance]
    • Category [asmt_metric_category]
    • Metric [asmt_metric]
    Relationships:
    • The Metric component can have a many-to-one relationship with the Category component.
    • The Category component can have a many-to-one relationship with the Questionnaire templates component.
    • The Questionnaire templates component can have a many-to-one relationship with the following components:
      • Assessment template
      • Tiering assessments
      • External assessments
    • The Questionnaire instance component can have a many-to-one relationship with the following components:
      • External assessments
      • Tiering assessments
    • The Assessment template component can have a one-to-many relationship with the following components:
      • Tiering assessments
      • External assessments
    • The Internal assessment component is an extension of the Tiering assessment component.
    • The Internal assessment component is related to Risk due diligence.
    • The following components are related to Third-party management:
      • Tiering assessments
      • External assessments
      • Assessment templates
    • The following components are Global:
      • Questionnaire templates
      • Category
      • Metric
      • Questionnaire instance

    For more information on assessments, see Assessing your third-party risk.

    The following diagram shows the main tables and flow that are used for the due diligence in the TPRM data model.

    Figure 3. Due diligence data model
    Relationship between the risk due diligence, third-party management, policy and compliance, and risk main tables used for due diligence. For a text description, refer to the text that follows.

    Here are the components and relationships that make up the due diligence data model.

    Components:
    • Third party [core_company]
    • Engagements [sn_vdr_risk_asmt_vendor_engagement]
    • Due diligence [sn_tprm_dd_request]
    • Issues [sn_vdr_risk_asmt_issue]
    • Tasks [sn_vdr_risk_asmt_task]
    • Vendor contacts [vm_vdr_contact]
    • Risk intelligence scores [sn_vdr_risk_asmt_security_score]
    • External assessments [sn_vdr_risk_asmt_assessment]
    • Tiering assessments [sn_vdr_risk_asmt_vdr_tiering_assessment]
    • Internal assessments [sn_vdr_risk_asmt_vdr_internal_assessment]
    Relationships:
    • The Third party component has a one-to-many relationship with subsidiaries.
    • The Third party component has a one-to-many relationship with the following components:
      • Vendor contacts
      • Internal assessments
      • External assessments
      • Tiering assessments
      • Risk intelligence scores
      • Issues
      • Tasks
    • The Due diligence component has a one-to-many relationship with the following components:
      • Vendor contacts
      • Internal assessments
      • Tiering assessments
      • Risk intelligence scores
    • The Engagements component has a one-to-many relationship with the following components:
      • Vendor contacts
      • Internal assessments
      • External assessments
      • Tiering assessments
      • Issues
      • Tasks
    • The Third party component is related to the Due diligence component.
    • The Engagements component is related to the Due diligence component.
    • The External assessments component is related to the Due diligence component.
    • The Internal assessment component is an extension of the Tiering assessment component.
    • The following components are related to Risk due diligence:
      • Due diligence
      • Internal assessments
    • The following components are related to Third-party management:
      • Engagements
      • Issues
      • Tasks
      • Risk intelligence scores
      • External assessments
      • Tiering assessments
    • The following components are Global:
      • Third party
      • Vendor contact

    The following diagram shows the required roles, processes, and choices that are part of the due diligence workflow.

    Figure 4. Due diligence workflow
    Workflow that shows the required roles, processes, and choices that exist as part of the due diligence workflow.

    For more information on the due diligence workflow, see Due diligence workflow.

    The following diagram shows the main tables that are used for scoring in the TPRM data model.

    Figure 5. Scoring data model
    Relationship between due diligence, third-party management, policy and compliance, and risk main tables that are used for scoring risk. For a text description, refer to the text that follows.

    Here are the components and relationships that make up the scoring data model.

    Components:
    • Third party [core_company]
    • Third-party risk scoring rule [sn_vdr_risk_asmt_vendor_risk_scoring_rule]
    • Component criteria [sn_vdr_risk_asmt_component_criteria]
    • Components [sn_vdr_risk_asmt_component]
    • Engagement [sn_vdr_risk_asmt_vendor_engagement]
    • Engagement risk scoring rule [sn_vdr_risk_asmt_engagement_risk_scoring_rule]
    • Risk area criteria [sn_vdr_risk_asmt__risk_area_criteria]
    • Risk domains [sn_vdr_risk_asmt_risk_area_definition]
    Relationships:
    • The Risk area criteria component has a one-to-many relationship with the Risk domain component.
    • The Risk area criteria component has a one-to-one relationship with the Engagement risk scoring rule component and the Third-party risk scoring rule component.
    • The Engagement risk scoring rule has a one-to-many relationship with the Engagement component.
    • The Component criteria has a one-to-many relationship with Components.
    • The Component criteria has a one-to-one relationship with the Third-party risk scoring rule component.
    • The Third-party risk scoring rule component has a one-to-many relationship with the Third-party component.
    • All of these components are related to Third-party management.

    Use the scoring setup in TPRM to configure how the scores from the external risk assessments are aggregated up to the engagements and third parties. The criteria tables hold the information that governs the aggregation: how the scores of multiple records in one table are combined (MIN, MAX, AVG) and how scores from multiple tables are combined (a weight for each table). Use the scoring rules to group third parties or engagements and assign criteria to each group. You can configure all the records in these tables without any customization.
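    The two aggregation steps described above, as an added illustration that is not ServiceNow code: the table names, the scoring rule and the sample scores are constructed assumptions, and the real criteria live in the component criteria and risk area criteria tables listed above. The example also shows the edge case a scoring rule must decide on: an engagement with no records in one of the weighted tables.

```javascript
// Added illustration of TPRM-style score aggregation (not ServiceNow code).
// A "criterion" here mirrors the idea of the criteria tables: a per-table
// record aggregation (MIN, MAX or AVG) plus a weight for that table.
const AGGREGATORS = {
  MIN: (xs) => Math.min(...xs),
  MAX: (xs) => Math.max(...xs),
  AVG: (xs) => xs.reduce((a, b) => a + b, 0) / xs.length,
};

// Constructed sample data: risk scores (0-100, higher = more risk) from two
// assessment tables, attached to engagements that belong to one third party.
const SAMPLE = {
  thirdParties: { acme: ['eng1', 'eng2'] },
  engagements: {
    eng1: { external_assessment: [40, 60, 80], tiering_assessment: [30] },
    eng2: { external_assessment: [90], tiering_assessment: [70, 50] },
  },
};

// Constructed engagement scoring rule: how records in each table collapse
// into one value, and how the tables are weighted against each other.
const ENGAGEMENT_RULE = {
  external_assessment: { aggregate: 'MAX', weight: 0.7 },
  tiering_assessment: { aggregate: 'AVG', weight: 0.3 },
};

// Step 1: collapse the records of one table. "No records" yields null rather
// than 0, so missing data is never mistaken for a low-risk result.
function aggregateRecords(scores, method) {
  const fn = AGGREGATORS[method];
  if (!fn) throw new Error('unknown aggregation: ' + method);
  if (!scores || scores.length === 0) return null;
  return fn(scores);
}

// Step 2: weighted combination across tables. Tables without records are
// dropped and the remaining weights renormalised, so a missing assessment
// cannot silently pull the engagement score down.
function scoreEngagement(engagement, rule) {
  let weighted = 0;
  let totalWeight = 0;
  for (const [table, criterion] of Object.entries(rule)) {
    const value = aggregateRecords(engagement[table], criterion.aggregate);
    if (value === null) continue;
    weighted += value * criterion.weight;
    totalWeight += criterion.weight;
  }
  return totalWeight === 0 ? null : Math.round(weighted / totalWeight);
}

// Third-party roll-up: the engagement scores are themselves a set of records,
// so the same record aggregation applies (MAX = worst engagement wins).
function scoreThirdParty(model, thirdPartyId, rule, rollup = 'MAX') {
  const scores = model.thirdParties[thirdPartyId]
    .map((id) => scoreEngagement(model.engagements[id], rule))
    .filter((s) => s !== null);
  return aggregateRecords(scores, rollup);
}
```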

    For more information on scoring, see Scoring calculations using the classic assessment engine.

    The following model diagram shows the main tables that are used for risk intelligence in the TPRM data model.

    Figure 6. Risk intelligence model
    Relationship between the risk due diligence, third-party management, policy and compliance, and risk main tables. For a text description, refer to the text that follows.

    Here are the components and relationships that make up the Risk intelligence data model.

    Components:
    • Third party [core_company]
    • Provider Services [sn_vdr_risk_asmt_tpss_provider]
    • Risk intelligence scores [sn_vdr_risk_asmt_security_score]
    • Score subfactors [sn_vdr_risk_asmt_tpss_subfactor]
    Relationships:
    • The Risk intelligence providers component has a one-to-many relationship with the Provider Services component.
    • The Provider Services component has a one-to-many relationship with the Risk intelligence scores component.
    • The Risk intelligence scores component has a one-to-many relationship with the Score subfactors component.
    • The Risk intelligence scores component is related to the Risk intelligence providers component.
    • All of these components are related to Third-party management.

    For more information on risk intelligence, see Risk intelligence report requests management.

    SAE TPRM data model

    The following model diagram shows the main tables that are used for Smart Assessment Engine in TPRM.

    Figure 7. SAE TPRM data model
    For a text description, refer to the text that follows.

    Here are the components and relationships that make up the SAE TPRM data model.

    Components:
    • Assessment to SAE Questionnaire Templates [sn_vdr_risk_asmt_m2m_tiering_sae_template, sn_vdr_risk_asmt_m2m_tpra_sae_template]
    • TPRM Assessments [sn_vdr_risk_asmt_assessment, sn_vdr_risk_asmt_internal_assessment]
    • Engagement [sn_vdr_risk_asmt_vendor_engagement]
    • Scoring Rules [sn_vdr_risk_asmt_vendor_risk_scoring_rule, sn_vdr_risk_asmt_engagement_risk_scoring_rule]
    • SAE Instance [sn_smart_asmt_instance]
    • SAE Questionnaire Template [sn_vdr_risk_asmt_sae_questionnaire_template]
    • SAE Rating Scale [sn_vdr_risk_asmt_sae_rating_scale]
    • Scoring Normalization (represented by SAE rating scale and score-mapping tables: sn_vdr_risk_asmt_sae_rating_scale, sn_vdr_risk_asmt_score_mapping)
    • Issue-generation rule [sn_vdr_risk_asmt_issue_generation_rule]
    • Post-assessment Automation (issue generation, workflow triggers)
    Relationships:
    • The Assessment to SAE Questionnaire Templates component has a many-to-one relationship with TPRM assessments.
    • The Assessment to SAE Questionnaire Templates component has a one-to-one relationship with the SAE instance component.
    • The TPRM Assessments component has a many-to-one relationship with the Engagement component.
    • The Engagement component has a many-to-one relationship with the Scoring Rules component.
    • The SAE Questionnaire Template component has a many-to-many relationship with the SAE Rating Scale component.
    • The SAE Rating Scale component has a one-to-many relationship with the Scoring Normalization component.
    • The SAE Questionnaire Template component has a many-to-one relationship with the Issue-generation rule component.
    • The SAE Questionnaire Template component has a one-to-many relationship with the Post-assessment Automation component.

    For more information on Smart Assessment Engine and TPRM, see Smart assessments with Third-party Risk Management.